1 / 13

PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks

Hervey Allen Network Startup Resource Center. PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks. Overview: What is a “DDoS”. DDoS  “Distributed Denial of Service” Attack DOS  “Denial of Service” Attack

lada
Télécharger la présentation

PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Hervey Allen Network Startup Resource Center PacNOG 6: Nadi, FijiDealing with DDoS Attacks

  2. Overview: What is a “DDoS” DDoS “Distributed Denial of Service” Attack DOS  “Denial of Service” Attack “A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. It generally consists of the concerted efforts of a person or people to prevent an Internetsite or service from functioning efficiently or at all, temporarily or indefinitely.”* *http://en.wikipedia.org/wiki/DDoS#Distributed_attack

  3. Automated DDoS Attacks

  4. Overview: How to Mitigate DDoS • Ingress/Egress filters • Capacity • Contingency Response • Firewalls • Separation of services • Monitor traffic flow • Monitor services • Monitor your logs

  5. Ingress Filters See PacNOG5 Network Security Track for details: http://www.pacnog.org/pacnog5/track3/index.html RFC2827 (BCP38) – Ingress Filtering If an ISP is aggregating routing announcements for multiple downstream networks, strict traffic filtering should be used to prohibit traffic which claims to have originated from outside of these aggregated announcements. The ONLY valid source IP address for packets originating from a customer network is the one assigned by the ISP (whether statically or dynamically assigned). An edge router could check every packet on ingress to ensure the user is not spoofing the source address on the packets which he is originating.

  6. Egress Filters Deny Broadcast Packets from infected machines.

  7. Add Capacity • This is expensive! • Overbuild on network infrastructure: • Routers • Switches • Verify servers have extra capacity. This is what larger organizations are doing today. It’s expensive. Many of you are temporarily “protected” from DDoS due to incoming network bandwidth.

  8. Contingency Response • Have a plan  • Know who to call • Do you have the technical contacts for your upstream provider? • Your technicians. Do you have a way to contact them during off-hours. • Which services are critical. Can others be dropped? Turned off? • Can you temporarily add capacity if necessary?

  9. Firewalls • In Linux you can use iptables: • Rules are stored in a file. First rule is generally “deny all”$IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP $IPTABLES -P FORWARD DROP • Rules look something like… ipfw add deny tcp from evil.doers.org to nice.people.org 22 ipfw add deny log tcp from evil.crackers.org/24 to nice.people.org • Large, in-depth discussion here: http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html

  10. Separation of Services • Often services are targeted, such as: • web • dns • ftp • mail • Try to place these on separate machines. • Or, move a service to another machine if necessary. • Place services on different parts of your network (other IP address ranges…)

  11. Monitor Traffic Flow • Using tools like Netflow, NfSen, Smokeping, etc. • Configure alarms for traffic thresholds.

  12. Monitor Services • Lots and lots of tools for this. • Nagios, Cacti, Smokeping we’ve seen this week. • Trigger alarms when service degrades.

  13. Monitor Logs • We just learned about this! • Be sure you do it! • Swatch, syslog, syslog-ng, etc. • Monitor your log file sizes. You can do this with Cacti, Nagios, scripts. • Use your logs for forensic research: $ sudo grep ssh /var/log/messages | less

More Related